Mobile application security
App Alliance WG Meeting
20 November 2013
Kristof Dewulf
Yannick Scheelen
Security weaknesses and vulnerabilities
Mobile devices

► Smartphone sales are increasing (Source: Gartner.com)

  Smartphone sales by platform, share in %:

  Platform     3Q12   3Q13
  Android      72.6   81.9
  iOS          14.3   12.1
  Microsoft     2.3    3.6
  Blackberry    5.2    1.8

► Malware goes mobile (Source: Eset.com)

  [Chart: variants in 2010, 2011 and 2012 for the families TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer; axis 0 to 160 variants]

► Security threats and malware are constantly present

  [Timeline with a 2012 to 2014 axis; the month markers cannot be attributed to individual events from the extraction]

  ► Weakness in SSL cert handling exposes data to interception (iOS)
  ► NotCompatible gains access to local network preferences (Android)
  ► LuckyCat opens a backdoor that allows remote access (Android)
  ► Lock screen of iPhone can be circumvented (iOS)
  ► The Android "Master Key" exploit
  ► iOS 7 lock screen vulnerability discovered
  ► HTC phone vulnerability leaks personal data (Android)
  ► FakeInst SMS Trojan cost end-users 30 million dollars (Android)
  ► SMSzombie abuses China's SMS payment (Android)
  ► Apparent security certificate turns out to be Android malware
  ► Banking Trojans disguise attack targets in the cloud

Page 2

EY - App Alliance WG meeting – 20 November
Application weaknesses and vulnerabilities
More than meets the eye

Most tests stop here…
► SSL/TLS
► Insecure data storage

...or here
► Application code review

Beyond that:
► Bypass authentication or authorization controls
► Bypass validations or manipulate application business logic
► What about injection attacks?
► Session management?
► Side channel data leakage?
► Sensitive information disclosure?
► Phishing attacks?
► Application and library permissions?

Page 3
Mobile Application Security
Most common issues

1. There is too much business logic in the application
   ► The mobile device holds the actual application binary
   ► It is safer to perform business logic validation on central systems (e.g. web service/web server)

2. SSL/TLS not implemented, or not properly implemented
   ► The validity of certificates is often not checked
   ► Consider certificate pinning – it works perfectly for mobile apps!

3. Insecure local data storage
   ► Passwords stored in databases
   ► Personal information is stored without the consent of the user (re privacy legislation)

Page 4
Mobile Application Security Testing
Our approach

Mobile Device
Objective: Identify vulnerabilities on the applications - Android, iOS or Windows.
► Reverse engineer the binary using tools such as:
  ► Clang (static code)
  ► GDB
  ► IDA (Pro)
  ► Class-dump-z
  ► …
  and investigate the source code for passwords, server-side keys, … but also learn how the application works!
► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, …
► Verify the application's permissions.
► Analyze the application's business logic.

Communication channel
Objective: Identify vulnerabilities on the data communication channel.
► Mobile applications are highly likely to operate on insecure wireless networks.
► It is essential to review the network protocols the application uses to communicate with the server-side application.
► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.

Server-side controls
Objective: Identify vulnerabilities on the server side of the mobile application.
► Perform an in-depth penetration test of the server-side application.
► Perform an in-depth penetration test of the web services or API services.
► Use the information found on the local device to leverage our success.
► Perform security tests similar to other web application tests (e.g. session management, authentication management, …).

Page 5
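Issue 3 (insecure local data storage) and the device-side data-analysis step above both come down to finding plaintext secrets in an app's data directory. The following is an added example, not code from the deck or from EY, that walks such a directory, flags credential columns in SQLite databases, and flags token-like values or assigned secrets in logs and preference files. The directory and files produced by build_sample_sandbox() are constructed for the example.

```python
"""Scan an app's local data for plaintext secrets (constructed example).

Not code from the deck or from EY. build_sample_sandbox() fabricates a
small app data directory (SQLite DB, log file, JSON preferences) with
the classic leaks so that scan_sandbox() can be run offline.
"""
import json
import os
import re
import sqlite3
import tempfile

# Column or key names that should not hold plaintext values on the device.
SENSITIVE_NAME = re.compile(r"pass(word|wd|phrase)?|secret|token|api[_-]?key|iban|ssn", re.I)
# Bearer tokens and JWTs leaking into logs, caches or debug output.
TOKEN_VALUE = re.compile(r"Bearer\s+[\w\-.]{16,}|\beyJ[\w\-]+\.[\w\-]+\.[\w\-]+")


def scan_sqlite(path: str) -> list:
    """Flag populated columns whose name suggests a credential."""
    findings = []
    con = sqlite3.connect(path)
    try:
        tables = [r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            for col in [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]:
                if SENSITIVE_NAME.search(col):
                    rows = con.execute(f'SELECT COUNT("{col}") FROM "{table}"').fetchone()[0]
                    if rows:
                        findings.append((path, f"table {table}, column {col}: {rows} populated rows"))
    finally:
        con.close()
    return findings


def scan_text(path: str) -> list:
    """Flag token-like values and sensitive keys that carry a value in text files."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if TOKEN_VALUE.search(line):
                findings.append((path, f"line {lineno}: token-like value"))
            elif SENSITIVE_NAME.search(line) and ("=" in line or ":" in line):
                findings.append((path, f"line {lineno}: sensitive key with a value"))
    return findings


def scan_sandbox(root: str) -> list:
    """Walk the app data directory; SQLite files are detected by magic, the rest is text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                is_sqlite = fh.read(16) == b"SQLite format 3\x00"
            findings.extend(scan_sqlite(path) if is_sqlite else scan_text(path))
    return sorted(findings)


def build_sample_sandbox() -> str:
    """Create a constructed app data directory containing three typical leaks."""
    root = tempfile.mkdtemp(prefix="appdata_")
    con = sqlite3.connect(os.path.join(root, "accounts.db"))
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'letmein')")
    con.commit()
    con.close()
    with open(os.path.join(root, "app.log"), "w", encoding="utf-8") as fh:
        fh.write("12:00:01 sync started\n")
        fh.write("12:00:02 GET /api/v1/me Authorization: Bearer "
                 "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl\n")
    with open(os.path.join(root, "prefs.json"), "w", encoding="utf-8") as fh:
        json.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, fh)
    return root
```

Run it against a pulled app sandbox or a device backup; every finding is a candidate for the platform keystore or for not storing the value at all.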

Our recommendations

► Developers: start with security in mind!
► Understand the threats:
  ► On the application
  ► On the channel
  ► On the server side
► Don't store sensitive data on the device
  ► without consent of the user and without the ability for the user to remove his/her personal information
► Understand the mobile platform of your application
► Understand your audience
► Assess your application

Page 6

Contact details

Page 7

 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Mobile application security

  • 1. Mobile application security – App Alliance WG Meeting, 20 November 2013 – Kristof Dewulf, Yannick Scheelen
  • 2. Security weaknesses and vulnerabilities: mobile devices
    ► Smartphone sales are increasing (worldwide smartphone sales by platform, source: Gartner.com):

      | Platform   | 3Q12 (%) | 3Q13 (%) |
      |------------|----------|----------|
      | Android    | 72.6     | 81.9     |
      | iOS        | 14.3     | 12.1     |
      | Microsoft  | 2.3      | 3.6      |
      | Blackberry | 5.2      | 1.8      |

    ► Malware goes mobile. [Chart: number of variants in 2010, 2011 and 2012 of the Android families TrojanSMS.Agent, TrojanSMS.Boxer, DroidKungFu and FakePlayer; source: Eset.com]
    ► Security threats and malware are constantly present (timeline of events, 2012 to 2014):
      ► Weakness in SSL cert handling exposes data to interception (iOS)
      ► NotCompatible gains access to local network preferences (Android)
      ► LuckyCat opens a backdoor that allows remote access (Android)
      ► Lock screen of iPhone can be circumvented (iOS)
      ► The Android “Master Key” exploit
      ► iOS 7 lock screen vulnerability discovered
      ► HTC phone vulnerability leaks personal data (Android)
      ► FakeInst SMS Trojan cost end-users 30 million dollars (Android)
      ► SMSzombie that abuses China’s SMS payment (Android)
      ► Apparent security certificate turns out to be Android malware
      ► Banking Trojans disguise attack targets in the cloud
    Page 2 – EY - App Alliance WG meeting – 20 November
  • 3. Application weaknesses and vulnerabilities: more than meets the eye
    ► Most tests stop here…
      ► Bypass authentication or authorization controls
      ► Bypass validations or manipulate application business logic
      ► Insecure data storage
      ► SSL/TLS
    ► ...or here
      ► Application code review
    ► What about:
      ► injection attacks?
      ► session management?
      ► side channel data leakage?
      ► sensitive information disclosure?
      ► phishing attacks?
      ► application and library permissions?
  • 4. Mobile application security: most common issues
    1. There is too much business logic in the application
      ► The mobile device holds the actual application binary
      ► It’s safer to perform business logic validation on central systems (e.g. web service/web server)
    2. SSL/TLS not implemented, or not properly implemented
      ► Certificates’ validity is not often checked
      ► Consider certificate pinning – it works perfectly for mobile apps!
    3. Insecure local data storage
      ► Passwords stored in databases
      ► Personal information is stored without consent of the user (re privacy legislation)
  • 5. Mobile application security testing: our approach
    ► Mobile device – Objective: identify vulnerabilities in the application (Android, iOS or Windows).
      ► Reverse engineer the binary using tools such as Clang (static code), GDB, IDA (Pro), class-dump-z, … and investigate the source code for passwords, server-side keys, … but also learn how the application works!
      ► Perform data analysis by looking for sensitive data in databases, logs, backups, cached files, debug messages, …
      ► Verify the application’s permissions.
      ► Analyze the application’s business logic.
    ► Communication channel – Objective: identify vulnerabilities in the data communication channel.
      ► Mobile applications are highly likely to operate on insecure wireless networks.
      ► It is essential to review the network protocols the application uses to communicate with the server-side application.
      ► The use of SSL/TLS is confirmed both through code review and the Burp Suite proxy tool.
    ► Server-side controls – Objective: identify vulnerabilities on the server side of the mobile application.
      ► Perform an in-depth penetration test of the server-side application.
      ► Perform an in-depth penetration test of the web services or API services.
      ► Use the information found on the local device to leverage our success.
      ► Perform security tests similar to other web application tests (e.g. session management, authentication management, …).
  • 6. EY – Our recommendations
    ► Developers: start with security in mind!
    ► Understand the threats:
      ► on the application
      ► on the channel
      ► on the server side
    ► Don’t store sensitive data on the device without consent of the user and without the ability for the user to remove his/her personal information
    ► Understand the mobile platform of your application
    ► Understand your audience
    ► Assess your application
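Slide 4, issue 2, says certificate validity is rarely checked and recommends certificate pinning. The following is an added example (not code from the slides or from EY) of both points in Python's standard `ssl` module: a check that detects the weak "trust anything" context, and a pin check on the SHA-256 digest of the DER-encoded server certificate that runs after normal chain validation. The `PinSet`, `hardened_context`, `insecure_context` and `pinned_connect` names are assumptions for this example; on Android or iOS the same logic belongs in the app's TLS layer.

```python
import hashlib
import socket
import ssl
from dataclasses import dataclass

# Added example, not from the slides. A pin is the SHA-256 hex digest of the
# DER-encoded server certificate, shipped inside the app. Keep a backup pin
# for the next certificate so a planned rotation cannot lock users out.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class PinSet:
    pins: frozenset           # trusted certificate digests (hex)
    enforce: bool = True      # False = report-only: log the mismatch, still connect

    def check(self, der_cert: bytes) -> bool:
        """True if the presented DER certificate matches one of the pins."""
        return sha256_hex(der_cert) in self.pins


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Catches the classic weak settings (CERT_NONE, hostname check off)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def hardened_context() -> ssl.SSLContext:
    """Default context: CA chain validation and hostname check stay on."""
    return ssl.create_default_context()


def insecure_context() -> ssl.SSLContext:
    """The weak configuration seen in many apps: trusts any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def pinned_connect(host: str, port: int, pins: PinSet, timeout: float = 5.0) -> ssl.SSLSocket:
    """Chain and hostname validation first, then the pin check on the leaf."""
    ctx = hardened_context()
    tls = ctx.wrap_socket(socket.create_connection((host, port), timeout=timeout),
                          server_hostname=host)
    leaf_der = tls.getpeercert(binary_form=True)   # DER bytes of the leaf cert
    if not pins.check(leaf_der):
        if pins.enforce:
            tls.close()
            raise ssl.SSLError(f"certificate pin mismatch for {host}")
        print(f"WARN pin mismatch for {host} (report-only mode)")
    return tls
```

Pinning the whole certificate digest means the pin changes at every renewal; pinning the SubjectPublicKeyInfo survives renewals with the same key but needs a DER parser that the standard library does not provide.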